If you wanted to eavesdrop on an analogue phone call, Graydon of the VoIP Security Alliance likes to note, you could. But you'd have to go to your local box store, pick up a box phone, two crocodile clips, a reflective vest and a helmet. Then learn some simple but arcane ways to tap the line. When you scurry up the pole, try not to look too conspicuous. Fake credentials like logos on the helmet help. If you want to eavesdrop on a VoIP call, though, you won't need to climb a pole. You'll still need some arcane knowledge to locate the data stream, but once you have that, all you need is a packet sniffer and software that converts the data into a WAV audio file (tools like Cain & Abel, a software program that can locate and record VoIP streams, are freely available on the Internet). Think of virtually any threat to data, whether it's malicious, accidental or a nuisance, and it will threaten VoIP in a way that it couldn't have easily threatened POTS. For example:

• Good old-fashioned power failures.

• Denial-of-service attacks and other nonmalicious network congestion that affects phone availability. Especially problematic if firewalls can't recognize voice traffic as distinct and requiring a higher quality of service, which immediately and severely disrupts voice availability.

• Eavesdropping and wiretapping. Used to log voice and keyed-in data, such as account numbers.

• Spoofing. Used in VoIP phishing, where a call will be ID'd as from your bank but is really being collected by baddies (doubly bad since it's a hack that preys on our inherent trust of the phone network; where most people have learned to distrust e-mail, the same is not true for the phone).

• Viruses and bots. Used to either destroy data or the device or to co-opt the phone into some other activity such as toll fraud-charging toll calls to other numbers, which Graydon says is "a lot easier on VoIP than the PSTN." It will be easier to place these viruses and bots into telephony because of the mix of devices interacting with the VoIP networks such as phones, mobile phones, BlackBerrys, computers and whatever other potentially vulnerable or infected application data happens to be on the network.

Risk: Round Two

The second form of risk is that with VoIP, there are simply more threats to exploit than there are on the phone. The openness - of protocols like IP and of infrastructure like the Internet's - that makes VoIP application-rich also makes it unimaginably hard to control, since it's open to everyone, including those who want to exploit it. As anyone who uses e-mail will tell you, along with the good - instant, cheap communications - you have to accept the bad - spam and malware. Bringing more applications to voice may increase its power and usefulness but it also opens up more threats, and that has to be balanced against the potential gains in productivity or efficiency. New threats include:

• SPIT, or spam over Internet telephony. An offshore alternative to telemarketing that could sidestep a national Do Not Call Registry. Graydon notes that a computer overseas could deliver 20,000 phone calls with a recorded sales pitch in five seconds.

• Logging. Privacy concerns abound for a technology that's far easier to capture, log and mine (maliciously or as a marketing tool) than analogue voice.

• Unsanctioned use. Internet voice services, such as Skype, can be downloaded and used by individuals as easily as an instant messenger, introducing all the threats of Internet voice without any of the controls.

• More computers. Advanced voice applications require advanced phones, and VoIP phones are essentially small computers. "IP phones are trickier than PBX digital phones," says Bob Litterer, information security manager at Genzyme, noting that IP phones constitute an additional burden to the telecomm administrators who must adequately provision and configure network resources and maintain IP phone firmware and software. "They require specific VLAN [virtual LAN] tagging in DHCP scopes, require tricky firmware upgrades, and they can crash at inconvenient times." In other words, they're as reliable (and risky) as PCs, not phones.